Network Shell for the Rio Receiver


Getting A Network Shell

Well, this is actually a lot easier than it seems, thanks to the work done by Jeff Mock. The secret is to use an old hacking technique involving netcat and bash. Has the light bulb lit yet? If not, here's what you need to do.

  1. Getting Netcat
    There are two ways you can do this, first off, you can download Netcat 1.10 for Unix. Apply this patch, and then compile it using Jeff's toolchain.
    # make linux CC=arm-linux-gcc DFLAGS=-DGAPING_SECURITY_HOLE
    

    Or you could just download the binary from me. You'll also need a copy of netcat for your operating system -- either compile one on your linux box or track down a windows binary.
  2. Getting a Wrapper
    There is probably an easier way to do this, but this worked on the first try for me, so I'm sticking with it. Basically, compile the following code using the arm toolchain. Or you could grab the compiled binary from me.
    /* Replacement for /empeg/bin/player: start the netcat listener in the
       background, then hand over to the real player (renamed player.orig). */
    #include <stdlib.h>
    int main(void) {
    	/* listen on TCP 5000 and give the accepted connection a bash shell;
    	   -e only exists when netcat was built with -DGAPING_SECURITY_HOLE */
    	system("/bin/nc -l -p 5000 -e /bin/bash &");
    	/* run the original player in the foreground, as before */
    	system("/empeg/bin/player.orig");
    	return 0;
    }
    
  3. Getting Bash
    There are several ways to do this. The easiest is to get hold of Jeff's dev-fs-image.tgz file, which contains bash, termcap, and some other goodies. Otherwise, refer to Jeff's site on how to build your own.
  4. Install Bash, Netcat, and my Wrapper.
    If you've got an NFS server set up, serving the files to the RIO (again, see Jeff's site if this is at all confusing), then you would simply do this:
    # cd /tftpboot/[ip_address_or_hostname]/
    # tar zxvf /[path_to]/dev-fs-image.tgz
    # cp /[path_to]/nc bin
    # cd empeg/bin
    # mv player player.orig
    # cp /[path_to]/player .
    
    You could also do this, in theory, to the .arf file (that came with the rio system and contains the NFS directory structure) on your windows box, and not have to deal with the entire linux-server setup. However, you'll probably have to go down that route if you're planning on doing any hacking.
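Once the wrapper is in place, the receiver runs an unauthenticated root shell (every process in the ps listing below is uid 0) on TCP port 5000, and nothing in `nc -l -p 5000` limits which interface it binds to, so anything that can reach the receiver's address on that port gets the shell. The following check is an added example, not code from this page or from Jeff's tools: it reads the kernel's /proc/net/tcp layout, lists the listening sockets with their bound addresses, and reports whether a given port is bound to 0.0.0.0 (all interfaces) rather than just loopback. The sample input is constructed in that layout; the only values taken from the page are port 0x1388 (5000) and the little-endian ARM byte order.

```shell
# Constructed sample in the /proc/net/tcp layout (header + three sockets):
# port 0x1388 = 5000 listening on 0.0.0.0, port 53 listening on 127.0.0.1,
# and one established connection (state 01) that must be ignored.
SAMPLE_PROC_NET_TCP='  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:1388 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1234 1 00000000 300 0 0 2 -1
   1: 0100007F:0035 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1235 1 00000000 300 0 0 2 -1
   2: 0A00000C:1388 0A000005:C3A6 01 00000000:00000000 00:00000000 00000000     0        0 1236 1 00000000 20 4 30 10 -1'

# /proc/net/tcp prints an IPv4 address as one 32-bit hex word in host byte
# order, so on a little-endian CPU (the receiver's ARM720, or x86) the first
# octet is the LAST hex pair: 0100007F is 127.0.0.1.
hex_to_ip() {
    h=$1
    b1=${h#??????}
    t=${h#????}; b2=${t%??}
    t=${h#??};   b3=${t%????}
    b4=${h%??????}
    printf '%d.%d.%d.%d' "$((0x$b1))" "$((0x$b2))" "$((0x$b3))" "$((0x$b4))"
}

# Reads /proc/net/tcp text on stdin and prints "address port" for every
# socket whose state is 0A (TCP LISTEN); the header and other states are skipped.
listening_tcp() {
    while read -r sl laddr raddr st rest; do
        [ "$sl" = "sl" ] && continue        # header line
        [ "$st" = "0A" ] || continue        # not a listening socket
        printf '%s %d\n' "$(hex_to_ip "${laddr%:*}")" "$((0x${laddr#*:}))"
    done
}

# Succeeds (exit 0) when the given port is listening on 0.0.0.0, i.e. it is
# reachable on every interface and not only on the loopback address.
is_exposed() {
    listening_tcp | grep -q -x -F "0.0.0.0 $1"
}

# Runs the listing over the constructed sample. On the receiver itself the
# real file would be used instead:  is_exposed 5000 < /proc/net/tcp
sample_report() {
    printf '%s\n' "$SAMPLE_PROC_NET_TCP" | listening_tcp
}

sample_report
```

Running it prints `0.0.0.0 5000` and `127.0.0.1 53`, and `is_exposed 5000` succeeds for the sample while `is_exposed 53` does not; the parsing uses only POSIX shell parameter expansion and `grep`, so it works in the bash from the dev-fs image as well as on the host.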

Now for the fun stuff

Now, hard-reboot the rio (unplug it and plug it back in). When the player comes up, you should have a copy of netcat running in the background listening on port 5000. You can get the IP address of the rio by hitting the menu button, then scrolling to About Receiver, then scrolling down till you see the IP address listed. Now you should be able to connect to it.
# nc [ip_address] 5000
ps aux
  PID  Uid      Gid State Command
    1 0        0        S -bash
    2 0        0        S [kflushd]
    3 0        0        S [kupdate]
    4 0        0        S [kpiod]
    5 0        0        S [kswapd]
    6 0        0        R [rpciod]
    7 0        0        S /empeg/bin/player
    9 0        0        S bash
   10 0        0        S sh -c /empeg/bin/player.orig
   11 0        0        S /empeg/bin/player.orig
   12 0        0        S /empeg/bin/player.orig
   13 0        0        S /empeg/bin/player.orig
   14 0        0        S /empeg/bin/player.orig
   15 0        0        S /empeg/bin/player.orig
   16 0        0        S /empeg/bin/player.orig
   17 0        0        S /empeg/bin/player.orig
   18 0        0        S /empeg/bin/player.orig
   19 0        0        S /empeg/bin/player.orig
   20 0        0        S /empeg/bin/player.orig
   21 0        0        S /empeg/bin/player.orig
   22 0        0        R ps aux 
kill 10
ps aux
  PID  Uid      Gid State Command
    1 0        0        S -bash
    2 0        0        S [kflushd]
    3 0        0        S [kupdate]
    4 0        0        S [kpiod]
    5 0        0        S [kswapd]
    6 0        0        S [rpciod]
    9 0        0        S bash
   23 0        0        R -bash
   24 0        0        R ps aux
pwd
/empeg/bin
cat /proc/cpuinfo
Processor       : ARM/VLSI arm720 rev 2
BogoMips        : 65.33
Hardware        : CL-PS7212
cat /proc/empeg_id
hwrev : 02
serial: 09133
build : 00000000
id    : 2ef706a2-369b13ae-3faf136f-6c9410e2
ram   : 4096K
flash : -1K
dtype : 1
Note that it's really slow to interact with the receiver if the player application is running, which is why I always kill it. The process ID is always 10 when I boot up, but your mileage will vary.
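Since the PID varies from box to box, it is safer to look the wrapper's `sh -c /empeg/bin/player.orig` shell up by its command line than to type `kill 10`. The function below is an added example, not from this page or from Jeff's tools; it parses the busybox `ps aux` layout shown above (PID, Uid, Gid, State, then the command as the rest of the line, which may contain spaces). The sample input is the first ps listing from this page.

```shell
# Sample input: the first ps listing from this page (busybox ps layout).
SAMPLE_PS='  PID  Uid      Gid State Command
    1 0        0        S -bash
    2 0        0        S [kflushd]
    3 0        0        S [kupdate]
    4 0        0        S [kpiod]
    5 0        0        S [kswapd]
    6 0        0        R [rpciod]
    7 0        0        S /empeg/bin/player
    9 0        0        S bash
   10 0        0        S sh -c /empeg/bin/player.orig
   11 0        0        S /empeg/bin/player.orig
   12 0        0        S /empeg/bin/player.orig
   13 0        0        S /empeg/bin/player.orig
   14 0        0        S /empeg/bin/player.orig
   15 0        0        S /empeg/bin/player.orig
   16 0        0        S /empeg/bin/player.orig
   17 0        0        S /empeg/bin/player.orig
   18 0        0        S /empeg/bin/player.orig
   19 0        0        S /empeg/bin/player.orig
   20 0        0        S /empeg/bin/player.orig
   21 0        0        S /empeg/bin/player.orig
   22 0        0        R ps aux'

# Reads ps output on stdin and prints the PID of every process whose full
# command line equals the argument. The Command column is the remainder of
# the line, so "sh -c /empeg/bin/player.orig" is matched as a whole and is
# not confused with the bare "/empeg/bin/player.orig" children.
pids_of_command() {
    while read -r pid uid gid state cmd; do
        [ "$pid" = "PID" ] && continue      # header line
        if [ "$cmd" = "$1" ]; then printf '%s\n' "$pid"; fi
    done
}

# The process to stop is the shell the wrapper spawned with system();
# there is only one of it, so take the first match.
player_shell_pid() {
    pids_of_command 'sh -c /empeg/bin/player.orig' | head -n 1
}

# On the receiver: find that shell in the live ps output and signal it.
stop_player() {
    pid=$(ps aux | player_shell_pid)
    [ -n "$pid" ] || { echo "player shell not running" >&2; return 1; }
    kill "$pid"
}

# Lookup over the sample listing (prints 10).
sample_player_shell() {
    printf '%s\n' "$SAMPLE_PS" | player_shell_pid
}

sample_player_shell
```

Inside the netcat session you would just type `stop_player` after defining the functions; on the host the same parser can be pointed at a saved listing, as the sample shows.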